Update cert-manager example

Updates certificate generation to match what is done in upstream.
Tweaks some of the language and instructions.

Author: Jonathan S. Katz

kustomize/certmanager/README.md

@@ -1,7 +1,7 @@
 # Using Cert-Manager with Postgres Operator 5.x
 
 ## Introduction
-Starting with version 5.0 of the Crunchy Data Postgres Operator for Kubernetes, TLS is on by default to secure all communication to/from the postgres cluster.  By default, the Operator will generate the necessary certificates for the Postgres cluster and components.  It is possible to provide custom cetificates by storing the certificates in a Kubernetes Secret and pointing the Operator to those secrets in the Postgres manifest.
+Starting with version 5.0 of PGO, the Postgres Operator from Crunchy Data, TLS is on by default to secure all communication to/from the postgres cluster.  By default, the Operator will generate the necessary certificates for the Postgres cluster and components.  It is possible to provide custom certificates by storing the certificates in a Kubernetes Secret and pointing the Operator to those secrets in the Postgres manifest.
 
 Cert-Manager can be used to dynamically generate and manage certificates in Kubernetes.   Cert-Manager can generate self-signed certificates or certificates from several certificate authorities.
 
@@ -14,7 +14,10 @@ The first step is to deploy Cert-Manager to the Kubernetes cluster.  To do this,
 After Cert-Manager has been deployed, the next step used in this example is to setup a Certificate Issuer.  The Certificate Issuer can be configured to be local to a namespace or cluster wide.  In the examples provided here, a cluster wide issuer is created.
 
 ### Configure Issuer
-```kubectl apply -k certman```
+
+```
+kubectl apply -k certman
+```
 
 This Kustomize deployment performs the following actions:
 
@@ -34,11 +37,13 @@ Two certificates will be generated by the Kustomize deployment.  The first certi
 
 In the Postgres manifest, two entries are added to point to the newly created Secrets.  The customTLSSecret key references the <cluster>-tls secret while the customReplicationTLSSecret references the <cluster>-repl-tls secret.
 
-### Deploy Postgres Cluster
-```kubectl apply -k postgres```
+### Deploy Postgres
+
+```shell
+kubectl apply -k postgres
+```
 
 The following process takes place during the deployment:
 * Custom certificate is generated for Postgres using the CA ClusterIssuer created in the previous steps.
 * Custom certificate is generated for Postgres replication using the CA ClusterIssuer.
 * Postgres cluster deployed using the custom certificates.
-

kustomize/certmanager/postgres/cert-repl.yaml

@@ -9,26 +9,20 @@ spec:
   renewBefore: 360h # 15d
   subject:
     organizations:
-    - crunchydata
+    - hippo-org
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: _crunchyrepl
   isCA: false
   privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 2048
+    algorithm: ECDSA
+    size: 256
   usages:
-    - server auth
-    - client auth
+    - digital signature
+    - key encipherment
   # At least one of a DNS Name, URI, or IP address is required.
   dnsNames:
   - _crunchyrepl
-  # uris:
-  # - spiffe://cluster.local/ns/zoo/hippo
-  #ipAddresses:
-  #- 192.168.0.5
-  # Issuer references are always required.
   issuerRef:
     name: ca-issuer
     # We can reference ClusterIssuers by changing the kind here.

kustomize/certmanager/postgres/cert.yaml

@@ -9,26 +9,20 @@ spec:
   renewBefore: 360h # 15d
   subject:
     organizations:
-    - crunchydata
+    - hippo-org
   # The use of the common name field has been deprecated since 2000 and is
   # discouraged from being used.
   commonName: postgres-operator
   isCA: false
   privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 2048
+    algorithm: ECDSA
+    size: 256
   usages:
-    - server auth
-    - client auth
+    - digital signature
+    - key encipherment
   # At least one of a DNS Name, URI, or IP address is required.
   dnsNames:
   - hippo-primary
-  # uris:
-  # - spiffe://cluster.local/ns/zoo/hippo
-  #ipAddresses:
-  #- 192.168.0.5
-  # Issuer references are always required.
   issuerRef:
     name: ca-issuer
     # We can reference ClusterIssuers by changing the kind here.

kustomize/certmanager/postgres/postgres.yaml

@@ -10,8 +10,7 @@ spec:
   customTLSSecret:
     name: hippo-tls
   instances:
-    - name: pgc
-      replicas: 2
+    - replicas: 2
       dataVolumeClaimSpec:
         accessModes:
         - "ReadWriteOnce"